Prefetching, a process optimizing system performance by loading data into memory before needed, generates valuable artifacts in the form of .pf files. These files, stored in the Prefetch directory, contain embedded timestamps, providing insights into a program's first and last time of execution.
First Execution Timestamp:
Derived from the creation date of the .pf file (minus 10 seconds).
Considered the "first time we know of the file being executed."
Last Execution Timestamp:
Extracted from the last modification date of the .pf file (minus 10 seconds).
Embedded timestamps within the .pf file also capture last execution time(s).
Pro Tip:
A .pf file's creation doesn't guarantee the program's successful execution. Verification through additional artifacts is crucial, especially when dealing with potentially "broken" programs attempting execution.
These techniques, while valuable for forensic analysis, acknowledge the limitations posed by the prefetch entry limit. Leveraging file system timestamps alongside embedded timestamps enriches the understanding of program execution timelines.
Tool: PECmd.exe-->
(Command for prefetching the directory on live computer and saving into excel/Jason file if you have don't have image or you didn't created)
Command 1 - PECmd.exe -d "C:\Windows\Prefetch" --csv "C:\Users\User\Downloads" --csvf output.csv or --json c:\temp\json
For fetching particular .pf file using PECmd
Command 2 - PECmd.exe -f "C:\Windows\Prefetch\CALC.EXE-3FBEF7FD.pf"
Link of tool: https://github.com/EricZimmerman/PECmd
Prefetch File Analysis - Examples
Volume Information and File Sections:
Reveals files opened by the application within the crucial 10 seconds of execution.
Includes full path and disk volume details, offering insights into accessed files and potential malicious activity.
Discover malicious DLLs or crucial documents accessed by the application.
Identify hidden data locations or interesting folders related to the investigation.
Parsing Entire Prefetch Directories:
PECmd generates two output files for directory parsing.
Embedded Information File: Captures run count, last run times, and referenced files for each .pf file.
Timeline View File: Presents a timeline of embedded timestamps for easy identification of closely executed items.
Both output files are formatted in tab-separated values (TSV) for convenient analysis.
By leveraging PECmd, forensic analysts can gain comprehensive visibility into program execution details, aiding in the identification of potential threats and hidden activities.
Akash Patel
Kommentare